tcpdump mailing list archives

Multiple filter compilation/filtering in offline mode ??


From: V K <vik.kaul () yahoo com>
Date: Thu, 30 Jun 2011 10:30:04 -0700 (PDT)

Folks

I have pcap traces which I am reading via the pcap_ C API (pcap_open_offline() and pcap_next()...)

What I want to do is to have several filters, say

filter1:  (ip.proto==TCP && tcp.dstport==100012)
filter2:  (ip.proto==UDP && (udp.srcport==60035 | udp.dstport==10000))
filter3:  <something>
..
and so on

And once packet is read using pcap_next(), I want to check that packet
against all filters and mark the filter that matches the packet

Is there a way one could compile multiple filters, read the packets and
for each packet check true/false for individual filter matches? I presume
I can have several compiled filters, but how do I apply them one at a time
to a packet that has already been read from the offline pcap file?

Alternately, is there another way to do this using the existing pcap_
libraries?

This would extend itself to a "live" capture program as well, where _ALL_
packets would be sniffed (without any filter) and, as each packet is read,
it is then compared against individual filters to find the matching one.

Any pointers are welcome

Thanks
vk

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
